private MX.X509Crl FindCrl(X509Certificate2 caCertificate) { string subject = caCertificate.SubjectName.Decode(X500DistinguishedNameFlags.None); string ski = GetSubjectKeyIdentifier(caCertificate); MX.X509Crl result = CheckCrls(subject, ski, LMCAStore.Store.Crls); if (result != null) { return(result); } if (location == StoreLocation.CurrentUser) { result = CheckCrls(subject, ski, UserCAStore.Store.Crls); if (result != null) { return(result); } } result = CheckCrls(subject, ski, LMRootStore.Store.Crls); if (result != null) { return(result); } if (location == StoreLocation.CurrentUser) { result = CheckCrls(subject, ski, UserRootStore.Store.Crls); if (result != null) { return(result); } } return(null); }
public void EmptyCrlWithExtensions () { // bug #75406 // http://bugzilla.ximian.com/show_bug.cgi?id=75406 X509Crl crl = new X509Crl (emptyCrl); Assert.AreEqual (0, crl.Entries.Count, "Entries.Count"); Assert.AreEqual (3, crl.Extensions.Count, "Extensions.Count"); }
public void EmptyCrl () { // bug #78901 // http://bugzilla.ximian.com/show_bug.cgi?id=78901 X509Crl crl = new X509Crl (bug78901); Assert.AreEqual (0, crl.Entries.Count, "Entries.Count"); Assert.AreEqual (0, crl.Extensions.Count, "Extensions.Count"); }
static X509Certificate FindCrlIssuer (X509Crl crl) { string name = crl.IssuerName; byte [] aki = GetAuthorityKeyIdentifier (crl.Extensions ["2.5.29.35"]); X509Certificate cert = FindCrlIssuer (name, aki, X509StoreManager.IntermediateCACertificates); if (cert != null) return cert; return FindCrlIssuer (name, aki, X509StoreManager.TrustedRootCertificates); }
static bool VerifyCrl (X509Crl crl) { X509Certificate issuer = FindCrlIssuer (crl); if (issuer == null) return false; if (!crl.VerifySignature (issuer)) return false; chain.Reset (); return chain.Build (issuer); }
public void basicConstraintsCriticalcAFalseCACRL () { X509Crl crl = new X509Crl (basicConstraintsCriticalcAFalseCACRL_crl); Assert.AreEqual (0, crl.Entries.Count, "Entries.Count"); Assert.AreEqual (2, crl.Extensions.Count, "Extensions.Count"); Assert.IsTrue (crl.IsCurrent, "IsCurrent"); // true till 2011 Assert.AreEqual ("C=US, O=Test Certificates, CN=basicConstraints Critical cA False CA", crl.IssuerName, "IssuerName"); Assert.AreEqual (634388218400000000, crl.NextUpdate.ToUniversalTime ().Ticks, "NextUpdate"); Assert.AreEqual ("32-BC-12-1F-84-D0-B6-3E-72-A0-FB-D9-75-99-CA-E5-2A-05-09-E6-C8-27-74-47-1C-DC-0C-D4-9F-BC-9F-B2-62-25-B4-6D-5B-E5-0B-E8-2A-8E-07-EB-3E-6B-C5-1E-9A-D2-14-FD-89-5B-C3-10-BF-19-77-67-0A-33-45-1B-BC-6C-ED-AF-84-30-59-FB-7C-71-95-63-60-31-9B-9B-0A-EA-77-F1-70-F1-B9-2E-D1-A9-04-42-66-94-B9-54-48-DB-44-56-56-1A-57-5A-01-0E-7C-4D-D7-C0-1F-5C-6F-13-F5-A3-57-88-6A-9A-71-CD-D5-AE-C3-00-B1-28", BitConverter.ToString (crl.Signature), "Signature"); Assert.AreEqual ("1.2.840.113549.1.1.5", crl.SignatureAlgorithm, "SignatureAlgorithm"); Assert.AreEqual (631232890400000000, crl.ThisUpdate.ToUniversalTime ().Ticks, "ThisUpdate"); Assert.AreEqual (2, crl.Version, "Version"); X509Certificate cert = new X509Certificate (basicConstraintsCriticalcAFalseCACert_crt); // certificate has CA set to false Assert.IsFalse (crl.VerifySignature (cert), "VerifySignature(cert)"); Assert.IsTrue (crl.VerifySignature (cert.RSA), "VerifySignature(RSA)"); }
public void Import(X509Crl crl) { CheckStore(_storePath, true); if (_newFormat) { throw new NotSupportedException(); } string filename = Path.Combine(_storePath, GetUniqueName(crl)); if (!File.Exists(filename)) { using (FileStream fs = File.Create(filename)) { byte[] data = crl.RawData; fs.Write(data, 0, data.Length); } ClearCrls(); // We have modified the store on disk. So forget the old state. } }
private bool ProcessCrlExtensions(MX.X509Crl crl) { foreach (MX.X509Extension ext in crl.Extensions) { if (ext.Critical) { switch (ext.Oid) { case "2.5.29.20": // cRLNumber case "2.5.29.35": // authorityKeyIdentifier // we processed/know about this extension break; default: return(false); } } } return(true); }
static void Download (string url, X509Store store) { if (verbose) Console.WriteLine ("Downloading: {0}", url); WebClient wc = new WebClient (); string error = "download"; try { byte [] data = wc.DownloadData (url); error = "decode"; X509Crl crl = new X509Crl (data); error = "import"; store.Import (crl); } catch (Exception e) { Console.WriteLine ("ERROR: could not {0}: {1}", error, url); if (verbose) { Console.WriteLine (e); Console.WriteLine (); } } }
private MX.X509Crl FindCrl(X509Certificate2 caCertificate) { string subject = caCertificate.SubjectName.Decode(X500DistinguishedNameFlags.None); string ski = GetSubjectKeyIdentifier(caCertificate); // consider that the LocalMachine directories could not exists... and cannot be created by the user MX.X509Crl result = (LMCAStore.Store == null) ? null : CheckCrls(subject, ski, LMCAStore.Store.Crls); if (result != null) { return(result); } if (location == StoreLocation.CurrentUser) { result = CheckCrls(subject, ski, UserCAStore.Store.Crls); if (result != null) { return(result); } } // consider that the LocalMachine directories could not exists... and cannot be created by the user result = (LMRootStore.Store == null) ? null : CheckCrls(subject, ski, LMRootStore.Store.Crls); if (result != null) { return(result); } if (location == StoreLocation.CurrentUser) { result = CheckCrls(subject, ski, UserRootStore.Store.Crls); if (result != null) { return(result); } } return(null); }
private X509ChainStatusFlags CheckRevocation(X509Certificate2 certificate, X509Certificate2 ca_cert, bool online) { // change this if/when we support OCSP X509KeyUsageExtension kue = (ca_cert.Extensions["2.5.29.15"] as X509KeyUsageExtension); if (kue != null) { // ... verify CrlSign is set X509KeyUsageFlags success = X509KeyUsageFlags.CrlSign; if ((kue.KeyUsages & success) != success) { // FIXME - we should try to find an alternative CA that has the CrlSign bit return(X509ChainStatusFlags.RevocationStatusUnknown); } } MX.X509Crl crl = FindCrl(ca_cert); if ((crl == null) && online) { // FIXME - download and install new CRL // then you get a second chance // crl = FindCrl (ca_cert, ref valid, ref out_of_date); // We need to get the subjectAltName and an URI from there (or use OCSP) // X509KeyUsageExtension subjectAltName = (ca_cert.Extensions["2.5.29.17"] as X509KeyUsageExtension); } if (crl != null) { // validate the digital signature on the CRL using the CA public key // note #1: we can't use X509Crl.VerifySignature(X509Certificate) because it duplicates // checks and we loose the "why" of the failure // note #2: we do this before other tests as an invalid signature could be a hacked CRL // (so anything within can't be trusted) if (!crl.VerifySignature(ca_cert.PublicKey.Key)) { return(X509ChainStatusFlags.RevocationStatusUnknown); } MX.X509Crl.X509CrlEntry entry = crl.GetCrlEntry(certificate.MonoCertificate); if (entry != null) { // We have an entry for this CRL that includes an unknown CRITICAL extension // See [X.509 7.3] NOTE 4 if (!ProcessCrlEntryExtensions(entry)) { return(X509ChainStatusFlags.Revoked); } // FIXME - a little more is involved if (entry.RevocationDate <= ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.Revoked); } } // are we overdue for a CRL update ? if so we can't be sure of any certificate status if (crl.NextUpdate < ChainPolicy.VerificationTime) { return(X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation); } // we have a CRL that includes an unknown CRITICAL extension // we put this check at the end so we do not "hide" any Revoked flags if (!ProcessCrlExtensions(crl)) { return(X509ChainStatusFlags.RevocationStatusUnknown); } } else { return(X509ChainStatusFlags.RevocationStatusUnknown); } return(X509ChainStatusFlags.NoError); }
// but anyway System.dll v2 doesn't expose CRL in any way so... static string GetAuthorityKeyIdentifier(MX.X509Crl crl) { return(GetAuthorityKeyIdentifier(crl.Extensions ["2.5.29.35"])); }
private X509Crl LoadCrl (string filename) { byte[] data = Load (filename); X509Crl crl = new X509Crl (data); return crl; }
private string GetUniqueName (X509Crl crl) { string method; byte[] name = GetUniqueName (crl.Extensions); if (name == null) { method = "tbp"; // thumbprint name = crl.Hash; } else { method = "ski"; } return GetUniqueName (method, name, ".crl"); }
public void Remove (X509Crl crl) { string filename = Path.Combine (_storePath, GetUniqueName (crl)); if (File.Exists (filename)) { File.Delete (filename); ClearCrls (); // We have modified the store on disk. So forget the old state. } }
public void Import (X509Crl crl) { CheckStore (_storePath, true); string filename = Path.Combine (_storePath, GetUniqueName (crl)); if (!File.Exists (filename)) { using (FileStream fs = File.Create (filename)) { byte[] data = crl.RawData; fs.Write (data, 0, data.Length); } ClearCrls (); // We have modified the store on disk. So forget the old state. } }
static void Download (string url, X509Store store) { if (verbose) Console.WriteLine ("Downloading: {0}", url); WebClient wc = new WebClient (); string error = "download"; try { byte [] data = wc.DownloadData (url); error = "decode"; X509Crl crl = new X509Crl (data); error = "import"; // warn if CRL is not current - but still allow it to be imported if (!crl.IsCurrent && verbose) Console.WriteLine ("WARNING: CRL is not current: {0}", url); // only import the CRL if its signature is valid and coming from a trusted root if (VerifyCrl (crl)) store.Import (crl); else Console.WriteLine ("ERROR: could not validate CRL: {0}", url); } catch (Exception e) { Console.WriteLine ("ERROR: could not {0}: {1}", error, url); if (verbose) { Console.WriteLine (e); Console.WriteLine (); } } }
public void Remove(X509Crl crl) { throw new NotImplementedException("Mono.Security.X509.X509Store.Remove(X509Crl)"); }
static void DisplayCrl (X509Crl crl, bool machine, bool verbose) { Console.WriteLine ("X.509 v{0} CRL", crl.Version); Console.WriteLine (" Issuer Name: {0}", crl.IssuerName); Console.WriteLine (" This Update: {0}", crl.ThisUpdate); Console.WriteLine (" Next Update: {0} {1}", crl.NextUpdate, crl.IsCurrent ? String.Empty : "update overdue!"); Console.WriteLine (" Unique Hash: {0}", CryptoConvert.ToHex (crl.Hash)); if (verbose) { Console.WriteLine (" Signature Algorithm: {0}", crl.SignatureAlgorithm); Console.WriteLine (" Signature: {0}", CryptoConvert.ToHex (crl.Signature)); int n = 0; foreach (X509Crl.X509CrlEntry entry in crl.Entries) { Console.WriteLine (" #{0}: Serial: {1} revoked on {2}", ++n, CryptoConvert.ToHex (entry.SerialNumber), entry.RevocationDate); } } }
public void Remove (X509Crl crl) { if (_newFormat) throw new NotSupportedException (); string filename = Path.Combine (_storePath, GetUniqueName (crl)); if (File.Exists (filename)) { File.Delete (filename); ClearCrls (); // We have modified the store on disk. So forget the old state. } }
static ArrayList LoadCRLs (string filename) { X509Crl crl = null; ArrayList list = new ArrayList (); switch (Path.GetExtension (filename).ToUpper ()) { case ".P7B": case ".SPC": SoftwarePublisherCertificate spc = SoftwarePublisherCertificate.CreateFromFile (filename); list.AddRange (spc.Crls); spc = null; break; case ".CRL": using (FileStream fs = File.OpenRead (filename)) { byte[] data = new byte [fs.Length]; fs.Read (data, 0, data.Length); crl = new X509Crl (data); } list.Add (crl); break; default: Console.WriteLine ("Unknown file extension: {0}", Path.GetExtension (filename)); break; } return list; }
public void Remove (X509Crl crl) { string filename = Path.Combine (_storePath, GetUniqueName (crl)); if (File.Exists (filename)) { File.Delete (filename); } }
public void Import (X509Crl crl) { CheckStore (_storePath, true); string filename = Path.Combine (_storePath, GetUniqueName (crl)); if (!File.Exists (filename)) { using (FileStream fs = File.Create (filename)) { byte[] data = crl.RawData; fs.Write (data, 0, data.Length); } } }